0207 014 8060 [email protected]

ansteybond Letter of Engagement GDPR and Data Protection Amendments 2018


1. Electronic Communication

1.1. As Internet communications are capable of data corruption we do not accept any responsibility for changes made to such communications after their despatch. We have made every reasonable effort according to the General Data Protection Regulation to ensure secure, authentic electronic communications. For this reason it may be inappropriate to rely on advice contained in an e-mail without obtaining written confirmation of it. All risks connected with sending commercially sensitive information relating to your business are borne by you and are not our responsibility until the information is received by our servers. If you do not accept this risk, you should notify us in writing that email is not an acceptable means of communication.

1.2. E-mail may be used to enable us to communicate with you, however any personal information/data will be communicated via more secure means. As with other means of delivery this carries with it the risk of inadvertent misdirection or non-delivery. It is the responsibility of the recipient to carry out a virus check on any attachments received.

2.Privacy & Data Protection Act 1998 as amended by General Data Protection Regulation

2.1. For the purpose of this clause:

2.1.1. Data Protection Legislation means the Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and Regulation (EU) 2016/679 known as the General Data Protection Regulation (GDPR), as each of the foregoing may be amended, replaced or re-enacted from time to time and all applicable laws and regulations relating to the processing of personal data and privacy including where applicable the guidance and codes of practice issued by the ICO or other relevant supervisory authority and the equivalent of any of the foregoing in any relevant jurisdiction (whether mandatory or not);

2.1.2. ICO means the Information Commissioner’s Office or any successor regulatory authority;

2.1.3.terms defined in GDPR shall have the meaning given in GDPR;

2.1.4.Shared Data means the personal data and sensitive personal data described in 2.3.4;

2.1.5.you are the controller of the Shared Data and we are the processor of the Shared Data.

2.2. We shall comply at all times with the Data Protection Legislation, and shall not perform our obligations under this
engagement in such a way as to cause the other party to breach any of its obligations under the Data Protection Legislation.

2.3. We shall:

2.3.1. only process the Shared Data, to the extent that, and in such a manner as, is strictly necessary for the purposes of performing our obligations under this engagement and in accordance with or on your lawful documented instructions and we shall not process the Shared Data for any other purpose, unless we are required to process the Shared Data by the laws of any member of the European Union or by the laws of the European Union to which we are subject (Applicable Laws). Where we are required by any Applicable Law to process the Shared Data, we shall promptly notify you of this before processing, unless the Applicable Law prohibits us from notifying you on important grounds of public interest;

2.3.2. not transfer the Shared Data outside of the European Economic Area other than either (i) with your prior consent or (ii) where the following conditions are fulfilled; appropriate safeguards are in place in relation to the transfer; we comply with our obligations under the Data Protection Legislation by providing an adequate level of protection to any Shared Data that is transferred; the data subjects have enforceable rights and effective legal remedies; and

2.3.3. ensure that persons authorised to process the Shared Data are obliged to keep the Shared Data confidential;

2.3.4. at all times implement sufficient and appropriate technical and organisational measures to protect the Shared
Data against unauthorised or unlawful processing, disclosure or access and accidental or unlawful destruction,
loss, alteration or damage (a Data Breach), which are appropriate to (a) the harm that might result from a Data Breach and (b) the nature of the Shared Data, having regard to the state of technological developments and the cost of implementing any measures. Those measures may include, where appropriate, pseudonymising and encrypting the Shared Data, ensuring the confidentiality, integrity, availability and resilience of our processing systems and services, ensuring that availability of and access to Shared Data can be restored in a timely manner after a Data Breach or other physical or technical incident and having a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing);

2.3.5. not engage another processor (the Sub-processor) to process any Shared Data unless we have provided you with full details of the Sub-processor and you have given your prior written consent to their engagement;

2.3.6. assist you to fulfil your obligations to respond to requests from individuals’ to exercise their rights under the Data Protection Legislation by implementing appropriate technical and organisational measures;

2.3.7. promptly notify you if we suffer a personal data breach that affects any Shared Data and assist you to comply with your obligations to notify such personal data breach to the ICO and any affected individuals in accordance with Articles 33 and 34 of GDPR;

2.3.8. upon the expiry or termination of this engagement for any reason, delete or return all Shared Data to you, as instructed by you, unless we are required by any Applicable Law to retain the Shared Data.

2.4. Shared Data

2.4.1. Subject matter and duration of processing We will process the Shared Data in order to provide the Services to you as described in clause 1. The processing will last for the duration of this engagement and for such period after the expiry or termination of this engagement to allow us to comply with our legal obligations and return or delete the Shared Data as instructed by you.

2.4.2. Nature and purpose of the processing processing of the Shared Data will involve the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination of the Shared Data for the purposes of us providing the Services to you.

2.4.3. Type of personal data and categories of data subject The Shared Data comprises:

personal data
contact details
date of birth
financial information
sensitive personal data

racial or ethnic origin;
political opinions;
religious or philosophical beliefs;
trade union membership;
health; and
sex life or sexual orientation. Shared Data relates to the following types of data subjects:


2.5. With your permission we may obtain, use, process and disclose personal data about you. We shall use such data to enable us, or any company associated with us (these are any people or entities with whom we would be reasonably expected to associate) to discharge the services agreed under this engagement. These include updating and enhancing client records, analysis for management purposes and statutory return, crime prevention and legal and regulatory compliance.

2.6. You have a right of access, under general data protection regulations, to the personal data that we hold about you. For your information, these rights are to be informed, to rectify, to access, to remove, to restrict processing, to data portability (transferring) and to object to any information that we hold about you. For any questions regarding GDPR, please contact us at [email protected]

Cyber Essentials ceritifed